Facebook Privacy

Introduction

Facebook was started by Mark Zuckerberg as a social networking site for Harvard undergraduates in 2004. Facebook then expanded to other colleges and universities. For a period of time, users required an "edu" email address to join. Users would join a "network" with its own subdomain (for example, the University of Pennsylvania is at upenn.facebook.com) that related to their university affiliation.

The concept of a network is important for the privacy experience of a Facebook user because one can usually set their privacy controls to allow access to anyone, to their friends, or to members of their networks. In February of 2006, Facebook began allowing high school students and members of some large companies to join, still all in their respective networks. In September of 2006, Facebook began to allow anyone to join by associating themselves with a network for an employer or a geographic location such as a city.

In October of 2007 Microsoft purchased a 1.6 percent stake in Facebook for 240 million dollars. That deal valued Facebook at 15 billion dollars. Facebook provides a website with a current statistical snapshot of its user base. In December of 2007, Facebook had 58 million users. At the 15 billion value, this means 258 dollars per user.

Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC.

Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt out. The plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools.

The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy.

Amidst growing concern about Facebook's disclosure of user information to third parties, the company has announced two new privacy options. Users may now decide how much of their information to disclose to Facebook apps before signing up. Users may also test apps anonymously, without transmitting the Facebook User ID to the developer. The changes appear to be a response to the 2011 Consent Order, pursued by EPIC and a coalition of privacy organizations, that requires the company to obtain express affirmative consent from users before disclosing personal information to third parties. In the first report on Internet privacy, "Surfer Beware: Personal Privacy and the Internet" (1997), EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." For more information, see EPIC: Facebook Privacy, EPIC: Internet Anonymity, and EPIC: FTC.

Facebook has begun removing a privacy setting that allowed users to opt out of having their name included in its “Graph Search” feature. All users, even those who had previously decided to remove their name from searches, will now be included in Graph Search results. Facebook is currently under a 20-year consent decree from the FTC that requires express affirmative consent from users before disclosing personal information which exceeds the restrictions imposed by users' privacy settings. Facebook announced the change last year, at which point EPIC warned about the consequences of Facebook removing privacy settings for its users. In 2012, EPIC sent a letter to Facebook requesting a reversal of policy changes that automatically shared users’ private information. For more information, see EPIC: Facebook and EPIC: In re Facebook.

Facebook is under increasing pressure to withdraw proposed changes that would allow the company to use the names, images, and content of Facebook users for advertising without consent. After EPIC and several privacy groups wrote to the Federal Trade Commission that the changes would violate a 2011 Consent Order, the Commission has opened an investigation. Senator Ed Markey also wrote to the FTC, stating that Facebook's changes "raise[] a number of questions about whether Facebook is improperly altering its privacy policy without proper user consent and, if the changes go into effect, the degree to which Facebook users will lose control over their personal information." Senator Al Franken has called on Facebook to reconsider expansion of its facial recognition activity. In a letter to Mark Zuckerberg, Senator Franken asked "How many face prints does Facebook have?" For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy.

EPIC, joined by several leading privacy and consumer protection organizations, has called on the Federal Trade Commission to enforce the terms of a 2011 settlement with Facebook. Facebook recently announced changes that would allow the company to routinely use the names, images, and content of Facebook users for commercial advertising without consent. The changes arise from a flawed class action settlement over Facebook’s Sponsored Stories program. In the letter, the privacy groups explain that Facebook’s changes violate the terms of a 2011 settlement with the FTC. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook Privacy.

EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government.

The Ninth Circuit has refused to hear an appeal in a case involving a class-action lawsuit over Facebook’s Beacon program, which disclosed personal information without user consent. "Cy pres" ("as near as possible") is a legal doctrine that allows courts to allocate funds to protect the interests of individuals when there is a class action settlement. Courts typically provide cy pres awards that reflect the reason for the litigation and are aligned with the interests of class members. In the Facebook case the court chose instead to provide the funds to a new foundation created by Facebook, which was appealed. Six judges dissented from the denial, writing that "the majority in this case creates a significant loophole in our case law that will confuse litigants and judges, while endorsing cy pres settlements that in no way benefit class members." EPIC previously highlighted the dangers of improper cy pres distributions in settlements. For more information, see EPIC: Fraley v. Facebook, EPIC: Lane v. Facebook, and EPIC: In re: Google Buzz.

Instagram announced that it would withdraw proposed changes to its terms of service announced earlier this week. Instagram backed off a plan to use the names, images, and photos of users for advertising purposes, pledging instead to "complete our plans, and then come back to our users and explain how we would like for our advertising business to work." Instagram's parent company, Facebook, is bound by the terms of a settlement with the Federal Trade Commission, initiated in 2009 by EPIC and other consumer privacy organizations, that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. A recent letter to Facebook CEO Mark Zuckerberg from EPIC and the Center for Digital Democracy warned that Facebook's proposed changes would adversely affect Instagram users. For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: FTC.

Instagram recently announced several changes to the terms of service that will allow the company to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and to advertisers. Instagram also proposed that the parents of minors implicitly consent to the use of their children's images for advertising purposes. The changes will take effect January 16, 2013, and will not apply to pictures uploaded before that date. Instagram’s parent company, Facebook, is under a 2011 consent order with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. Using an individual’s name or likeness for commercial purposes without consent is also prohibited in most states. EPIC had recently urged Facebook users to vote for "Existing Documents," warning that under the changed terms of service, Facebook would loosen privacy controls and that would impact Instagram. For more information, see EPIC: Facebook and EPIC: FTC.

Facebook announced changes to its privacy controls and the privacy settings of its users. The changes include settings that allow users to choose which information apps can access and disclose, and a privacy shortcuts menu. But Facebook also removed an option that allowed users to hide themselves from strangers through Facebook’s search function. The changes follow an election conducted by Facebook in which 88 percent of voters opposed changing the privacy policy and voting rights of users. EPIC previously wrote to the Federal Trade Commission regarding the blanket disclosure features of certain apps and the proposal to end the voting part of the site governance process. Facebook is currently subject to a settlement with the FTC over privacy violations. For more information, see EPIC: Facebook and EPIC: In re Facebook.

Preliminary results from the recent Facebook Site Governance Vote indicate that 589,141 Facebook users voted to keep the existing Statement of Rights and Responsibilities and Privacy Policy. Only 79,731 voted for the proposed changes. In the largest vote in Facebook history, approximately 88% of users who voted favored the existing documents. EPIC and the Center for Digital Democracy earlier wrote to FB CEO Mark Zuckerberg, recommending that the proposal be withdrawn. In 2009, Facebook withdrew proposed changes to the Terms of Service after 150,000 users formed a group "FB Users Against the New TOS." In 2007, FB backed off "Beacon," a controversial marketing technique, when 50,000 users signed a petition. Facebook is currently under a consent order with the US Federal Trade Commission. For more information, see EPIC: Facebook.

Facebook has proposed changes to its policies that would (1) end user voting, (2) remove spam blocking, and (3) share FB user data with affiliates without user consent. EPIC and others are urging Facebook users to participate in the Facebook Governance Vote and to vote for EXISTING documents. Anyone with a Facebook account can VOTE HERE. #existingdocuments

EPIC, along with the Center for Digital Democracy, has asked Facebook to withdraw proposed changes that will impact the privacy of users and their ability to participate in site governance. Facebook recently proposed to end the voting part of the site governance process, restrict users' ability to prevent unwanted messages, and combine personal information from Facebook with Instagram. In the letter, the groups say "[b]ecause these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes." Facebook users may also comment directly on the proposed changes. Facebook is subject to the terms of a recent settlement with the Federal Trade Commission that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook.

EPIC, joined by the Center for Digital Democracy, has asked the Federal Trade Commission to investigate whether Facebook's data-matching arrangement with Datalogix violates a settlement between the FTC and Facebook. Facebook is matching the personal information of users with personal information held by Datalogix. The settlement, adopted in August, prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information. EPIC had previously asked the FTC to determine whether "Timeline," which made archived user data widely available, or biometric tagging of user photos violated the terms of the consent order. The FTC has not made a determination on the EPIC Timeline request, and Facebook has suspended facial recognition in the US. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Datalogix.

The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and ad targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012, EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition.

A federal judge has rejected a proposed settlement in a class-action lawsuit about Facebook's unapproved use of user images for advertising purposes. The judge, who had previously expressed skepticism about the terms of the settlement, wrote that the plaintiffs had not justified the lack of direct monetary payments to Facebook users, nor had they explained how users will receive an economic benefit from being able to opt out of future endorsements. EPIC and several consumer privacy organizations opposed the settlement, saying that there was little benefit to Facebook users and that the cy pres allocation was not aligned with the interests of the class. In 2009 and 2010 EPIC and a coalition of consumer privacy organizations brought a successful complaint to the Federal Trade Commission that resulted in a significant consent order. In a letter to the court following the recent court order, EPIC explained that the FTC settlement had produced far greater benefits for Facebook users. For more information, see EPIC: In re Facebook.

The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission.

At a preliminary hearing on a proposed settlement involving Facebook "sponsored stories," Judge Seeborg expressed skepticism about the deal, wondering if there was any actual benefit to Facebook users. The deal, which had been endorsed by some groups funded by Facebook, was opposed by EPIC and several consumer privacy organizations. In 2009, EPIC and a coalition of consumer privacy organizations brought a successful complaint to the FTC that resulted in a significant consent order. For more information, see In re Facebook.

EPIC has asked a federal judge to reject a pending class action settlement concerning Facebook, stating that it does not actually benefit Facebook users. In one letter to the court, EPIC explained that the settlement does not fix the problem with "Sponsored Stories." In a second letter, joined by consumer, privacy, and academic organizations, EPIC said that "cy pres" funds should be distributed according to objective criteria, as courts have done in other similar cases. (Cy pres allows courts to allocate funds in class action settlements.) In 2009, EPIC led a coalition of consumer and privacy organizations that was responsible for the FTC's privacy settlement with Facebook. And EPIC has routinely represented the interests of Facebook users. For more information, see EPIC: Facebook Privacy.

EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently replaced email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice . . . raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

Facebook announced the acquisition of Face.com, a facial recognition technology company and long-time business partner of Facebook. Facebook uses an automatic facial recognition system, called "tag suggestions," to create a database of users' biometric information. Last year, EPIC filed a complaint with the Federal Trade Commission, stating that Facebook created biometric profiles of users without their explicit consent, failed to provide a clear mechanism for the deletion of these profiles, and failed to take adequate safeguards to ensure that users' biometric information would not be accessible to government agents and other third parties. In recent comments to the FTC, EPIC recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. For more information, see EPIC: Facial Recognition and EPIC: Facebook and Facial Recognition.

Facebook users have registered enough comments on Facebook's proposed privacy changes to force a vote on the issue. A provision in Facebook’s Statement of Rights and Responsibilities states that Facebook will allow users to vote on proposed alternatives if more than 7,000 users comment on a proposed change. The vote is binding if "more than 30 percent of all active registered users as of the date of the notice vote." Facebook's Data Use Policy accumulated 10,500 comments in English. The group Europe v. Facebook generated 30,000 comments on the German version of the page. The FTC recently issued a proposed settlement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

Reps. Eliot Engel (D-NY) and Jan Schakowsky (D-IL) introduced the Social Networking Online Protection Act, a bill that would prohibit employers, colleges, universities, and K-12 schools from seeking usernames or passwords for the social media accounts of employees or students. Similar legislation was introduced in California. Maryland became the first state to ban employers from asking employees or applicants for social networking passwords. Senators Blumenthal and Schumer have asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.

Facebook has re-opened its Statement of Rights and Responsibilities for comment after making changes to the original document. Although users’ personal data can still be accessed by the apps of their friends, Facebook clarified that users could prevent this by changing the “Apps and Websites” settings. Facebook also deleted a provision reserving the right to “exclude or limit the provision of any service or feature in our sole discretion” in certain geographic areas after users raised concerns about censorship. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended that Facebook restore the privacy settings that users had in place when the violations occurred. In response to Facebook's prior policy change, EPIC noted that the data-disclosure practices of applications implicated issues that led to the creation of the consent order. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

The New York Times reported that Facebook would provide users with a downloadable archive containing many types of data that the company stores about users. Although the new archive contains more user information than Facebook first offered in 2010, Max Schrems, the German law student and founder of Europe v. Facebook, said that Facebook is still only providing 39 of 84 data categories. EPIC called on Facebook to give users full access to all of the data that the company keeps about them through EPIC’s Know What They Know campaign. In comments on a settlement between Facebook and the Federal Trade Commission, EPIC recommended that the FTC require Facebook to give users full access to their data. For more information, see EPIC: Facebook Privacy and EPIC: Know What They Know.

The Maryland legislature passed the first bill banning employers from asking employees or applicants for social networking passwords. The bill was introduced after Robert Collins, an employee at the Department of Public Safety and Correctional Services, was asked to turn over his Facebook password as part of the process of being reinstated as a corrections officer. Recently, Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the U.S. Department of Justice to investigate the practice of employers asking job applicants to surrender user names and passwords for social networking sites like Facebook. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.

Senators Blumenthal and Schumer asked the Equal Employment Opportunity Commission and the Department of Justice to investigate the practice of employers asking job applicants to surrender Facebook user names and passwords. The Senators pointed out that accessing an applicant's profile could reveal sensitive information that employers are not permitted to ask about or base hiring decisions on. Thus, employers could be violating the Civil Rights Act and other federal laws, including the Stored Communications Act and the Computer Fraud and Abuse Act, which prohibit "unauthorized access" to electronic information. "Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both [Acts]," the letter states. For more information, see EPIC: Workplace Privacy and EPIC: Facebook Privacy.

Facebook has begun to review comments on changes to its Statement of Rights and Responsibilities. Among other changes, Facebook now states that a user's information is disclosed to apps used by his or her friends, that Facebook software or plugins that users download may automatically download updates, upgrades, and additional features, and that users may not tag others who do not wish to be tagged. The FTC recently issued a proposed settlement with Facebook after finding that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." In particular, the FTC found that Facebook had misled users about the extent to which their personal information would be made available to apps used by their friends. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 and bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

A Pew study found that users are becoming more active in managing their social media accounts. Compared to 2009, a higher percentage of users reported deleting people from their “friends” lists, deleting comments made by others on their profile, and removing their names from photos in which they were tagged. The report also found that women and young users were the most active in protecting their privacy. The Federal Trade Commission is currently finalizing a consent order with Facebook over charges that the company changed users' privacy settings to make personal information more available to the public and to Facebook's business partners. For more information, see EPIC: Social Networking Privacy, EPIC: Facebook Privacy, and EPIC: Public Opinion and Privacy.

In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised by facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition.

EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement.

EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy.

Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy.

EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement.

The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission.

The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow.

The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition.

The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission.

Lawmakers in Washington have sent a letter to Mark Zuckerberg, Facebook's CEO, asking questions about the company's data retention practices, following a news report that a single European Facebook user obtained more than 1,200 pages of his own personal data from the company, including information that he had previously deleted. Following an effort of privacy advocates in Europe, EPIC has launched the KWTK (Know What They Know) campaign and is urging Facebook users to obtain their complete "data dossier" from the company. For more information, see EPIC: Facebook Privacy and EPIC: #kwtk.

Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition.

EPIC, joined by other privacy, consumer, and civil liberties groups, including the American Civil Liberties Union, Consumer Action, American Library Association, and the Center for Digital Democracy, asked the Federal Trade Commission to investigate Facebook. Facebook had been secretly tracking users after they logged off of Facebook’s webpage, and had recently announced changes in business practices that “[gave] the company far greater ability to disclose the personal information of its users to its business partners...” EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: Facebook Privacy and EPIC: Federal Trade Commission.

The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret database of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary of Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identify political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System.

In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about FB's automated tagging of users, changes in privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaints at the FTC are still pending. For more information, see EPIC: Facebook Privacy.

In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users.

Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy.

Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information, see EPIC: Facebook Privacy.

Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressmen earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy.

Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy.

A letter from Rep. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) to Mark Zuckerberg asks about Facebook's plans to make users' addresses and mobile phone numbers available to websites and application developers. Facebook suspended the plan after EPIC and others objected. EPIC Executive Director Marc Rotenberg said that "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.

Facebook has retreated from its decision to allow third-party access to users' home addresses and phone numbers. Facebook backed off after criticism of the new policy, but said it would go forward once it has made further changes. EPIC Executive Director Marc Rotenberg said "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.

Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to Facebook about the news that Facebook's business partners transmitted personal user data to advertising and internet tracking companies in violation of the company's policy. EPIC has two complaints pending at the Federal Trade Commission regarding Facebook's unfair and deceptive trade practices. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy.

At the Coca-Cola Village Amusement Park in Israel, visitors were recently issued bracelets with RFID chips that linked to their Facebook accounts, according to Adland. RFID readers scattered throughout the park updated the users' Facebook pages when the bracelets were scanned. On-site photographers also posted photos that were automatically tagged with the users' identities. Facebook had previously tested the use of RFID for location tracking at the f8 Developer Conference in April. Facebook has also just launched Places, which is designed to make users' location information widely available. For more information, see EPIC Facebook Privacy, EPIC Facebook Places.

The recently announced Facebook service Places makes user location data routinely available to others, including Facebook business partners, regardless of whether users wish to disclose their location. There is no single opt-out to avoid location tracking; users must change several different privacy settings to restore their privacy status quo. For users who do not want location information revealed to others, EPIC recommends that Facebook users: (1) disable "Friends can check me in to Places," (2) customize "Places I Check In," (3) disable "People Here Now," and (4) uncheck "Places I've Visited." EPIC, joined by many consumer and privacy organizations, has two complaints pending at the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices, which are frequently associated with new product announcements. For more information, see EPIC In Re Facebook, EPIC In Re Facebook II, and EPIC Facebook Privacy.

In prepared testimony (PDF) for a Congressional hearing on "Online Privacy, Social Networking and Crime Victimization," EPIC Executive Director Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users. Mr. Rotenberg said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information. He also said that the failure of the Federal Trade Commission to investigate Facebook's business practices means that Congress must now amend the federal privacy law to limit the ability of social network companies to disclose user information to third parties without informed and explicit consent. Also testifying at the hearing are witnesses from the FBI, the Secret Service, Symantec, and Facebook. For more information, see EPIC Social Networking Privacy, EPIC Facebook, and EPIC In re Google Buzz.

In a recent study by Foresee Results and the University of Michigan, Facebook has scored extremely low in the area of customer satisfaction. The 2010 American Customer Satisfaction Index E-Business Report included social networking companies for the first time, and Facebook scored a 64, putting it "in the bottom 5% of all measured private sector companies and in the same range as airlines and cable companies." The polling company attributed Facebook's low scores to "privacy concerns, frequent changes to the website, and commercialization and advertising." For more information, see EPIC Facebook Privacy and EPIC Public Opinion on Privacy.

The FTC announced a significant enforcement action today. The Commission's complaint against Twitter charged that "serious lapses in the company's data security allowed hackers to obtain administrative control of Twitter." The FTC found that the lax practices allowed access to nonpublic tweets even though the company assured users in its privacy policy that it was "very concerned about safeguarding the confidentiality of your personally identifiable information." Under the terms of the settlement, "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information." EPIC has two complaints currently pending at the FTC concerning similar practices by Facebook, another social networking service. For more information, see EPIC - Facebook Privacy, EPIC - In re Facebook I, and EPIC - In re Facebook II.

EPIC has joined a letter, organized by the ACLU of Northern California, calling for Facebook to fix ongoing privacy problems with the social network service. The letter, signed by several privacy organizations, recommends that Facebook make "Instant Personalization" opt-in, limit data retention, give users greater control over their information, and allow users to export their content from Facebook. EPIC has a complaint currently pending at the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices. For more information, see EPIC Facebook Privacy.

Facebook privacy has become a hot topic in the California race for Attorney General. In the Democratic primary, Kamala Harris has attacked former Facebook Chief Privacy Officer Chris Kelly over the company's privacy practices. But Kelly has recently criticized some of the Facebook changes and said that "instant personalization" should be opt-in. Kelly has also supported a Moveon Facebook campaign, though some bloggers have doubts. During the last election cycle, EPIC launched PRIVACY08 to encourage candidates to debate privacy issues. Also see EPIC Facebook Privacy.

Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google's collection of user data "may be the subject of federal and state investigations" and asked Google to retain the data until "such time as review of this matter is complete." Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year. For more information, see EPIC: Facebook Privacy, EPIC: In re Facebook II, and EPIC: Search Engine Privacy.

Today, EPIC and 14 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The complaint also cites widespread opposition from Facebook users, Senators, bloggers, and news organizations. In a letter to Congress, EPIC urged the Senate and House Committees with jurisdiction over the FTC to monitor closely the Commission's investigation. The letter noted the FTC's failure to act on several pending consumer privacy complaints. For more information, see EPIC: Facebook Privacy.

Senators Charles Schumer (D-NY), Michael Bennet (D-CO), Mark Begich (D-AK), and Al Franken (D-MI) have sent a letter to Facebook CEO Mark Zuckerberg to express concern about "recent changes to the Facebook privacy policy and the use of personal data by third-party websites." Senator Schumer has also asked the Federal Trade Commission to establish guidelines for social networking sites. The Senators' statements came after Facebook announced it would disclose user data to websites without consent. Senator Schumer stated "Previously, users had the ability to determine what information they chose to share and what information they wanted to keep private." EPIC has filed a complaint with the FTC about the recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC: In re Facebook.

Facebook announced significant changes at F8 this week that will integrate Facebook with many web sites, but also make it more difficult for Facebook users to limit the disclosure of personal information. The announcement follows recent changes to Facebook privacy settings and privacy policies. "Instant personalization" will give Facebook's business partners access to users' likes, interests, friends, and other details, unless users opt-out. Facebook has also removed a key privacy safeguard and will allow third parties to store user data indefinitely. EPIC has a complaint pending at the FTC concerning recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC's Previous FTC Complaint regarding Facebook, EPIC: In re Facebook.

Facebook has announced "another set of revisions" to its privacy policy. The changes appear to make it easier for Facebook to gather locational data on users and to disclose user data to third-party web sites. It also appears that Facebook will make more use of data set to "Everyone." Facebook is soliciting comments on the changes. In December, EPIC filed a complaint with the FTC regarding the last series of changes to the Facebook privacy settings. EPIC, joined by nine other privacy and consumer organizations, said that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The FTC responded that the EPIC complaint "raises issues of particular interest" to the Commission. For more information on the ever-changing Facebook privacy policy, see EPIC Facebook Privacy and EPIC In re Facebook.

At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing.

Following a hearing last week, U.S. District Court Judge Seeborg reserved decision about the approval of Facebook’s proposed 9.5 million dollar settlement in a case involving Facebook Beacon. According to the settlement terms, Facebook would contribute about $6 million to the establishment of a privacy organization. Facebook, however, would maintain control over this organization, as Facebook's top lobbyist would become co-President and all significant decisions would require a unanimous vote. EPIC and several other privacy organizations, including the Consumer Federation of America and the Privacy Rights Clearinghouse, have written a letter to Judge Seeborg, asking him to reject the settlement as proposed. For more information, see EPIC: Facebook Privacy.

Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contributes to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity.

Facebook users filed papers in federal court objecting to a proposed deal that would extinguish the company's liability for disclosing personal information in violation of federal law. Users criticized the class action settlement, stating "the class receives no meaningful relief." Other objectors alleged "in effect, Facebook is paying itself the benefit but class members are releasing their individual privacy claims." EPIC previously submitted a letter to the judge hearing the case. EPIC's letter opposes the settlement and proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster.

EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers. For more information, see EPIC: Cloud Computing and EPIC: Social Networking Privacy.

EPIC and other privacy groups sent a letter to the federal judge overseeing a class-action settlement against Facebook in California, opposing the settlement as unfair and unreasonable. As proposed, the settlement does not provide any benefit for Facebook users whose private data was illegally exposed by Facebook "Beacon." Instead, the deal would create a new "privacy foundation" subject to Facebook's influence. Fair settlements typically provide compensation to class members or a remedy that addresses the underlying harm, which in this case was a violation of federal privacy law. The letter from EPIC proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster.

The FTC has sent a letter to EPIC regarding the December 2009 complaint, submitted by privacy organizations, about Facebook’s recent changes to user privacy settings. In the letter, the Bureau of Consumer Protection Director states that the complaint “raises issues of particular interest” for the FTC. Further, Vladeck stresses the importance of providing “transparency about how this data is being handled, maintained, shared, and protected . . . .” The Commission, however, cannot confirm or deny whether an investigation has been launched. The letter came one day before EPIC filed a supplemental complaint regarding Facebook’s privacy practices. For more information, see EPIC: In re Facebook.

EPIC and several other groups filed a supplement to the groups' original complaint with the Federal Trade Commission concerning Facebook’s recent privacy changes. The new complaint provides additional evidence of Facebook’s unfair and deceptive trade practices relating to Facebook CEO's public statements, the most recent version of the Facebook for iPhone application, Facebook Connect, and "web-suicide" applications. The complaint also offers numerous examples of media stories and blog posts in support of an investigation by the Federal Trade Commission into Facebook’s unfair and deceptive trade practices. For more information, see EPIC: In re Facebook.

Facebook is asking users to review and update their privacy settings. However, the privacy recommendations, suggested by Facebook, may result in greater disclosure than users intend. Facebook faces ongoing privacy scrutiny following Beacon, proposed changes to the Terms of Services, and a settlement now pending in California. EPIC has urged Facebook to respect user privacy settings. EPIC is also defending the privacy rights of Facebook users who participated in Beacon. For more information, see EPIC: Facebook Privacy.

Facebook announced that it intends to eliminate regional networks, which allow users to restrict information shared with others based on geography. The social networking service will also modify the site's privacy settings and require users to update the rules governing who can access their data. In February, revisions to Facebook's terms of service prompted users to revolt and Facebook to rescind the changes hours before EPIC planned to file a complaint with the Federal Trade Commission. Prior changes to the service resulted in disclosure of Facebook users' video rental records without their permission, prompting federal lawsuits. For more, see EPIC Facebook Privacy and Social Networking Privacy.

Today, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. The Video Privacy Protection Act prohibits companies from revealing consumers' video rental histories. EPIC wrote, "Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected" and warned, "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." The lawsuit was filed by Cathryn Harris and other Facebook users after Blockbuster made public their private video rental information. Blockbuster, a participant in Facebook's Beacon program, claimed that consumers cannot sue the company and must submit to mandatory arbitration. EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated. For more information, see EPIC Harris v. Blockbuster, EPIC The Video Privacy Protection Act, and EPIC Facebook Privacy.

Facebook released a revised privacy policy. The updated policy provides a more concise description of the privacy practices of the developers of third-party applications. Facebook also announced that it will evaluate the collection of user data by application developers. According to a blog post, the revised policy is a response to a complaint filed by Canadian Internet Policy and Public Interest Clinic in 2008, and attempts to “[fulfill] our commitment to the Privacy Commissioner of Canada to update our privacy policy to better describe a number of practices.” Concerns remain about the use of Facebook users' data. For more information, see EPIC Facebook Privacy.

In mid-July, the Canadian Privacy Commissioner released a report recommending several changes to Facebook's business practices. The Commissioner's Office advised the social networking firm to limit application developers' access to user information, and inform users specifically about the nature and use of shared information. The Office also said that deactivated account information should be deleted, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy last week and has asked application developers to respect user privacy settings. See also EPIC Facebook and EPIC Social Network Privacy.

EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing.

Facebook has announced the results of the vote on site governance. The initial outcome indicates that approximately 75 percent of users voted for the new terms of service, which include the new Facebook Principles and Statement of Rights and Responsibilities. Under the new Principles, Facebook users will "own and control their information." Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. EPIC supports the adoption of the new terms. For more information, see EPIC's page on Social Networking Privacy.

Significant Facebook Features and Policies

Facebook has several features with a significant impact on privacy and security of personal information. These features raise issues of data collection, retention, distribution and control. The various privacy issues raised may in some cases have legal consequences.

Account Creation

Facebook does not permit the privacy enhancing techniques of pseudonymous logins or the creation of multiple profiles. Facebook's terms require users to provide "accurate, current and complete" information when registering for the site. This means that a user must provide accurate information for their name, date of birth, and school and work affiliation. Facebook's terms require users to agree not to "register for more than one User account, register for a User account on behalf of an individual other than yourself," or "falsely state or otherwise misrepresent yourself, your age or your affiliation with any person or entity." Users are thus forbidden from having several profiles for different social circles, such as for friends, professional colleagues, teachers and family. Users must have a single identity across all those social interactions. Since they must accurately give Facebook their name and date of birth, this single identity is required to be tied to their real life identity.

Account Deletion

Facebook offers no convenient way to delete one's account once one has created a profile. Facebook does allow an account to be "deactivated," and says that a deactivated account cannot be seen or found by others:

Deactivation will completely remove your profile and all associated content on your account from Facebook. In addition, users will not be able to search for you or view any of your information. If you reactivate your account, your profile will be restored in its entirety (friends, photos, interests, etc.).

Reactivating an account is done by logging in again with the same username and password. This means that all of the information that the user has uploaded is retained by Facebook. Facebook does permit users to delete items such as wall posts, photos, friends and profile information. This has to be done via Facebook's interface, and must be done one item at a time.

Facebook reserves the right to delete your account. According to their terms, Facebook "may terminate your membership, delete your profile and any content or information that you have posted on the Site or through any Platform Application . . . for any reason, or no reason, at any time in its sole discretion, with or without notice . . . ."

Tagging

Facebook users can add metadata tags to photographs. These tags can be identified to particular areas of the photograph. So a picture of a family in front of a landmark can have the individual faces of family members tagged with their names, and the landmark tagged with its name. When the image is displayed, the tags become hyperlinks to the profile of the subject of the tag. If the subject of the tag is not a Facebook member, then the tag remains in plain text, not linking to anything. When photos of a person are displayed, this display includes their own photographs and those published by others and tagged with that person's name. When a user views an image that has been tagged with that user's name by another, the user has the option of removing the tag. A user is given a brief notice when others tag images with that user's name.

Contact Importer

Facebook users are invited by Facebook to "[f]ind out which of your email contacts are on Facebook." Facebook asks users for their email address and password for many of the major providers of webmail services (Yahoo, Hotmail, Gmail, etc.). Facebook then logs on to the account and downloads all the contacts there. Facebook can also import email contacts from applications such as Outlook and Thunderbird. Users are then shown a list of which individuals are current Facebook members, and have the choice of sending friend requests to each of them. The screen comes with all the contacts pre-selected. The user is then given the option of inviting all of their other contacts to join Facebook. Again, all of the contacts are pre-selected. The default behavior is to send messages to all of one's contacts inviting them to become friends on Facebook.

Example of the contact importer.

Facebook promises not to retain the user's password and login. Facebook does not explain what happens to the emails collected, or to the association of those emails as "contacts" of a given user. The email addresses can be of significant value. Because each address is a known contact of a real person, it is known to be "live" and is thus valuable to email harvesters.

Feed

Facebook users see a news feed when they log into their accounts. The news feed contains items about a Facebook user's friends as well as some advertisements. Some of a user's personal information is published to their friends' news feeds.

The feed was introduced in September 2006. When first introduced, users had no control over what information was published to the Feed. Facebook users protested the privacy invasion, demanding control over their data. Facebook users were responding to the broadcast of their data, to Facebook making it more easily available. Seven hundred thousand users joined a group protesting the feed. Facebook users also created a petition to Facebook Administrators:

Whereas Facebook.com is a social networking Web site and utility owned as a private company started in February 2004 by Mark Zuckerberg;

Whereas Facebook.com is a useful and entertaining tool for those on its networks;

Whereas the users on Facebook.com support the site's stated philosophy of helping people spread information through social networks;

Whereas the users on Facebook.com understand the privacy settings and their role in protecting personal, private information;

Whereas drastic changes were made to Facebook.com on September 5, 2006, including the introduction of the "News Feed" and "Mini Feed" that call into question the safety and privacy of its more than 9 million users;

Whereas there has been an unprecedented outpouring of opposition to the changes within the community;

Whereas many users feel uncomfortable participating on Facebook.com because of the changes to the point that some have deactivated their accounts;

We, the Facebook.com user community:

--Encourage Facebook.com administrators to actively communicate and consult with users in a democratic dialogue concerning any current and future changes.

AND:

--Demand the immediate removal of the "news feed" and "mini feed" feature from Facebook.com.

OR:

--Allow an individual to remove himself or herself from the "news feed" and "mini feed" feature on other users' page.
--Allow an individual to remove his or her own personal "news feed" and "mini feed" feature from his or her personal profile.

Facebook responded by creating some opt-outs for the feed, and its CEO Mark Zuckerberg apologized on the Facebook blog. As Facebook's Feed privacy page explains: "Stories are published when you edit your profile information, join a new network, or update your Status." A user can opt out of other information being published to their feed, such as changes in relationship status or the addition of a friend.

Other Facebook features also publish information via the news feed. Consequently, not all privacy controls related to feeds are found in the Feed section of the privacy page. Applications, Social Ads, and Facebook Beacon all communicate via the News Feed. User control, if any, of those information flows is located in pages devoted to those features, not the feed.

Users can also influence what items of their friends' personal information are presented to them. They can select that stories about some friends get published more or less frequently. They can also select what types of stories they are interested in, such as relationship news, changes in profile data, or the addition of new friends. This will cause these events to show up on their feed more or less often.

Platform Application Programming Interface (API)

In May 2007, Facebook launched the Facebook Platform. The platform allows third parties to create applications which access Facebook's database. The applications are meant to function in much the same way that the Facebook-created applications work. Applications can publish to a user's feed and can access that user's information. When a user adds an application, the information about other users that the given user can see is made available to these third party application providers. The third party application provider may retain some of this information forever, and some information may be retained for a limited time.

Since the applications are developed and hosted by third parties, their algorithms necessarily involve the flow of personal information from Facebook to the application host and developer. When installing an application, users are briefly presented with a few choices about the application, such as whether they want it to know who they are, take up space on their profile, or publish information to the user's feed. The choices are all pre-selected.

Example of the addition of the Blackjack application.

The information that the application accesses includes everything about a user and what they can see, except for their contact information such as email address, phone number and postal address. The terms the user agrees to by clicking "add" include examples of this information:

Examples of Facebook Site Information. The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your "About Me" section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of "pokes" you have sent and/or received, the total number of wall posts on your Wall(TM), a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

Significantly, applications do not only access the information about a given user that has added the application. Applications by default get much of the information about that user's friends and network members that the user can see. So without any action from a user, an individual that has never joined any applications will have their information sent to the third party application when their friends or associates in their networks join.

Default settings for what is shared to applications one has never added, including photos, relationships and other history.

Facebook disclaims all risk from how the application uses the data, and in its terms states that users release and hold harmless Facebook for any damages from installing or using applications. Facebook also says that it may change its policy at any time by changing the terms on its website. Users have no enforcement other than to remove the application.

Though Facebook disclaims its own risks, and states that users have no recourse, Facebook imposes some terms on how developers may use users' information:

You must treat users' privacy with the same respect we do. If you directly collect personally identifiable information from users, you must post a privacy policy detailing what you'll do with that info.

You must be honest and accurate about what your application does and how it uses information from Facebook users. Your application cannot falsely represent itself.

You can only show information from Facebook Platform to a user if you retrieved it on behalf of that particular user.

You can only cache user information for up to 24 hours to assist with performance. The only exceptions are those listed in the Facebook Platform Documentation.

Values that can be stored indefinitely include User ID; Primary network ID; Event ID; Group ID; Photo ID; Photo album ID; Total number of notes written by the user; and Time that the user's profile was last updated. Any information that the application develops or collects on its own can be kept forever and associated with the above information. For example, the blackjack application above may generate a win/loss record for a user. The application is permitted to indefinitely store the User ID and associate that with that user's performance in blackjack.
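The storage terms above can be checked mechanically. The following is an added example, not code from Facebook or from the original page: a Python retention audit for an application's cache that applies the 24-hour window and the listed indefinite-storage values. The field key names and the sample records are hypothetical and constructed for illustration.

```python
"""Retention audit for a third-party application's cache of platform data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "up to 24 hours" per the developer terms quoted on this page.
CACHE_TTL = timedelta(hours=24)

# The values the page lists as storable indefinitely.
# The key names are hypothetical; only the categories come from the page.
STORABLE_INDEFINITELY = frozenset({
    "user_id", "primary_network_id", "event_id", "group_id",
    "photo_id", "photo_album_id", "notes_count", "profile_update_time",
})


@dataclass
class CachedRecord:
    fetched_at: datetime      # when the data was pulled from the platform
    platform_fields: dict     # data retrieved from the platform
    app_fields: dict = field(default_factory=dict)  # data the app generated itself


def overdue_fields(record, now):
    """Names of platform fields held past the cache window that are not exempt."""
    if now - record.fetched_at <= CACHE_TTL:
        return []
    return sorted(k for k in record.platform_fields
                  if k not in STORABLE_INDEFINITELY)


def purge(record, now):
    """Return a copy of the record with every overdue platform field dropped.

    Application-generated data is untouched: the terms place no time limit
    on it, nor on its association with the permanent identifiers.
    """
    overdue = set(overdue_fields(record, now))
    kept = {k: v for k, v in record.platform_fields.items() if k not in overdue}
    return CachedRecord(record.fetched_at, kept, dict(record.app_fields))


def audit(store, now):
    """Map user_id -> overdue field names for every non-compliant record."""
    findings = {}
    for rec in store:
        overdue = overdue_fields(rec, now)
        if overdue:
            findings[rec.platform_fields.get("user_id")] = overdue
    return findings


# Constructed sample data (not real users).
NOW = datetime(2008, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_STORE = [
    CachedRecord(
        fetched_at=NOW - timedelta(hours=30),   # past the 24-hour window
        platform_fields={
            "user_id": 1001,
            "primary_network_id": 77,
            "name": "Alice Example",
            "birthday": "1985-02-03",
            "political_view": "undisclosed",
        },
        app_fields={"blackjack_wins": 12, "blackjack_losses": 30},
    ),
    CachedRecord(
        fetched_at=NOW - timedelta(hours=2),    # still inside the window
        platform_fields={
            "user_id": 1002,
            "name": "Bob Example",
            "relationship_status": "single",
        },
    ),
]

if __name__ == "__main__":
    for uid, names in audit(SAMPLE_STORE, NOW).items():
        print(f"user {uid}: overdue fields {names}")
    cleaned = purge(SAMPLE_STORE[0], NOW)
    print("after purge:", cleaned.platform_fields, cleaned.app_fields)
```

Note what survives a compliant purge: the permanent User ID stays joined to everything the application generated itself, which is the association the blackjack example describes.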

Public Search Listing

In September of 2007, Facebook introduced public search listings. Previously, only Facebook members could search Facebook for other users. Now, non-members will be able to search. Further, major search engines such as Yahoo and Google will index the public search listings. The listing shows a limited amount of information such as name, profile picture, and Friends.

Example of a public search listing, provided by Facebook.

This change exposes Facebook members to the general Internet. The information was exposed without the explicit permission of Facebook users. The change was announced via the Facebook blog, and users were given about 30 days to opt-out before the information reached major search engines.

Social Ads and Pages

Facebook's Social Ads and pages launched in November of 2007. Pages permit advertisers and businesses to have a presence on Facebook similar to Facebook users. Advertisers can create fan clubs, videos, and other interactions with users. When users interact with an advertiser page, this generates a message to that user's feed, alerting that user's friends to this interaction. Facebook describes this as similar to "word of mouth" advertising, except that Facebook is creating the words and publishing the information based on a user's lone interaction with the page.

Facebook's social ads launch when users interact with a page. The social ad includes the interaction with the page, plus text provided by the advertiser, and the user's name and profile picture. This entire message is displayed in the feed of the user's friends. The ads can also be demographically targeted, aiming at users of a certain location, age or sex, or many of the other demographic criteria that users have submitted in their profile.

Example of a Social ad. After the user rates a movie, that user's friends are shown the rating, the movie, the user's name and picture, and are invited to join the advertiser's service. Image from Facebook.

One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.
Comments:
a. The interest protected by the rule stated in this Section is the interest of the individual in the exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.

b. How invaded. The common form of invasion of privacy under the rule here stated is the appropriation and use of the plaintiff's name or likeness to advertise the defendant's business or product, or for some similar commercial purpose. Apart from statute, however, the rule stated is not limited to commercial appropriation. It applies also when the defendant makes use of the plaintiff's name or likeness for his own purposes and benefit, even though the use is not a commercial one, and even though the benefit sought to be obtained is not a pecuniary one. Statutes in some states have, however, limited the liability to commercial uses of the name or likeness.

Another applicable legal principle is the Right of Publicity, from the Third Restatement on Unfair Competition § 46:

One who appropriates the commercial value of a person's identity by using without consent the person's name, likeness, or other indicia of identity for purposes of trade is subject to liability. . . .

The actual application of the tort will vary from state to state, in some cases being a part of the common law, and in some cases part of statute. For example California Civil Code § 3344(a) states:

Any person who knowingly uses another's name, voice, signature, photograph, or likeness, in any manner, on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person's prior consent, or, in the case of a minor, the prior consent of his parent or legal guardian, shall be liable for any damages sustained by the person or persons injured as a result thereof. In addition, in any action brought under this section, the person who violated the section shall be liable to the injured party or parties in an amount equal to the greater of seven hundred fifty dollars ($750) or the actual damages suffered by him or her as a result of the unauthorized use, and any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages. In establishing such profits, the injured party or parties are required to present proof only of the gross revenue attributable to such use, and the person who violated this section is required to prove his or her deductible expenses. Punitive damages may also be awarded to the injured party or parties. The prevailing party in any action under this section shall also be entitled to attorney's fees and costs

The law requires prior consent, has a minimum damage of $750, allows the injured person to capture the profits of the violation, and provides for attorney's fees to the winner.

Beacon Advertisements

Facebook's Beacon advertising system was also launched in November of 2007. Beacon is similar to social ads in that it broadcasts a user's interaction with an advertiser to the feeds of that user's friends. However, Beacon is broadcasting information from third party websites such as Overstock.com, or Ebay. Facebook promises advertisers that all they need to do is "[a]dd 3 lines of code and reach millions of users." The advertisers determine which user actions on their website -- such as adding a movie to queue, or purchasing an item, or signing up for the site -- will generate feed messages.

As originally designed, users were given a brief time-limited alert which gave them the ability to opt-out of each message. As launched, the application did not permit a global opt out and did not require an affirmative opt-in before each message was broadcast.

An example of the "toast" pop up that Facebook provides.
To opt out, a user must click on "No thanks" before the pop-up disappears. Image from RadiantCore.

Following protests, Facebook added two user controls to Beacon. First, users would be asked to affirmatively opt-in before a new site sent messages to their friends. Once they approved one message from that site, no further opt-ins were required. Second, CEO Mark Zuckerberg announced that Facebook will allow users to globally opt-out of Beacon, preventing all message publication.

Facebook Blocks Secret Crush Over Adware Row, The Register, January 8, 2008. "Facebook has blocked the "Secret Crush" widget for violation of its terms of service, following a row about the use of the application to dupe users into downloading adware onto their PCs."

Facebook Locks Out Plaxo, ZDNet, January 4, 2008. "Social-networking site Facebook has fought off a major-league blogger's bid to extract his own contact list from the service, using a utility from rival site Plaxo, highlighting the unanswered question of who owns data associated with people's identities on social-networking sites."

Facebook and the VPPA. The Laboratorium, December 10, 2007. A law professor discusses how Facebook Beacon may violate the Video Privacy Protection Act when it broadcasts a user's movie selections on the Blockbuster website.

International Privacy Officials Recommend Social Networking Privacy Safeguards. The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public. (Apr. 17, 2008)

Facebook Eases Account Deletion, Default Third Party Information Sharing Remains. After recent criticisms concerning the practical impossibility of deleting account information, Facebook has changed its help page on deletion. Users may now contact Facebook to request permanent deletion of their information. However, Facebook's default sharing of excess personal information with thousands of third party application developers remains. User information travels to these third parties when they or their friends add an application to their profiles. Facebook disclaims all liability from what happens to that information. For more, see EPIC's page on Facebook. (Feb. 19, 2008)

UK Commissioner to Investigate Facebook Data Retention. Social networking site Facebook is under investigation by the UK Information Commissioner for its data retention practices. Facebook users may "deactivate" their accounts, leaving their personal information on Facebook servers but inaccessible to the public. Users have to individually delete each profile element. The investigation follows a complaint from a user unable to fully delete his profile. The Information Commissioner is an independent authority that enforces and oversees the Data Protection Act. (Jan 22, 2008)

Facebook Announces Beacon Opt-out, Promises Not to Retain Data. Social networking site Facebook announced that users would be able to globally opt-out of the "Beacon" advertising system. Beacon collects information on interactions with third party sites such as Fandango and Ebay. Beacon then broadcasts this information to a user's Facebook friends. Security researchers recently revealed that Beacon collects information on all users of those third party sites, not just Facebook members. Facebook's announcement promises that they will not keep or use this information on non-members and those who have opted out. (Dec 4, 2007)

Facebook Caves to Privacy Demands, Adopts Limited Opt-In. Social networking site Facebook.com significantly modified the privacy features of its new "Beacon" advertising system. Facebook users found their purchases on third party sites were being broadcast to their Facebook friends. Users had only limited options for opting out of the broadcast. In response to complaints from EPIC, the Center for Digital Democracy, Moveon.org, and thousands of users, Facebook will now ask that users opt-in before broadcasting their details. Facebook will continue to collect information from third party sites and will continue to ask for opt-ins until the user consents. (Nov 30, 2007)

Facebook to Collect, Distribute User Interactions With Third Party Sites. Social networking website Facebook.com introduced its "Beacon" feature to much controversy. Facebook users who shop at third party websites will have their purchases broadcast to their friends via Facebook. Facebook receives this third party information and shares it unless users opt out during a brief pop-up window at the third party site. Interest group MoveOn.org has started a petition campaign and Facebook group against this feature. The MoveOn petition and Facebook group demand that Facebook share user information only with explicit opt-in permission. Facebook considered, but did not adopt, a blanket opt-out for the beacon feature. (Nov 28, 2007)

Facebook Unveils New "Social Ads." Social networking site Facebook.com unveiled "social ads," a new advertising product. Marketers create Facebook profiles and purchase advertising targeting other users' profile information. Further, a user's name and picture will be shown to their friends in promotion of a product after that user interacts with the marketer in some way. A law professor has questioned whether this violates the privacy tort prohibiting commercial appropriation of name and likeness. Facebook's privacy settings do not currently allow one to opt out of receiving marketing or being used in it. (Nov. 14, 2007)

Facebook Responds to Users' Demands. In response to the negative reactions of so many of its users, Facebook put new privacy controls on the News Feed feature into operation. Mark Zuckerberg, the CEO of Facebook, published an open letter on the Web site on September 8th apologizing for not having consulted with users prior to introducing the feature, which notified users of all their contacts' activities, such as profile changes from "in a relationship" to "single." However, the change is simply an opt-out and puts the burden on Facebook users to protect their privacy. Over 700,000 users signed an online petition demanding the company discontinue the feature, stating that this compromised their privacy. (Sept. 25, 2006).

Outcry Over New Facebook Feature. When social networking Web site Facebook introduced their new News Feed feature on September 5, the company was accused of invading the privacy of its users and facilitating stalking. The goal of the new feature was to make it easier for users to keep up to date with the latest happenings in the lives of their online friends. However, user upset at its introduction sparked debate over how much control users expect to have over the information they place on these Web sites, and also whether the means of dissemination of this information matters. (Sept. 5, 2006).